1 //+build ignore
2
3 package main
4
import (
	"context"
	"fmt"
	"io/ioutil"
	"path"
	"strings"
)
10
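// gateway boots the nginx TLS front end that proxies the git
// (arv-git-http), keepproxy, keep-web (plus its download host) and
// websocket services.
//
// tmpl is the consul-template source for nginx.conf. The key,
// keyOrDefault, keyExists and toJSON actions are consul-template
// functions resolved at render time. The upper-case actions
// ({{GITPORT}}, {{SSLCERT}}, {{SSLKEY}}, ...) are not consul-template
// function calls as written; presumably they are placeholders meant to
// be substituted before the template is rendered — TODO confirm.
//
// The literal below sets only tmpl, so the supervised consul-template
// service started by Boot has an empty name unless name is set
// elsewhere.
var gateway = &nginxGatewayBooter{tmpl: `
daemon off;
error_log stderr info;          # Yes, must be specified here _and_ cmdline
events {
}
http {
  access_log {{keyOrDefault "service/gateway/access_log" "/var/log/arvados/gateway.log" | toJSON}} combined;
  upstream arv-git-http {
    server localhost:{{GITPORT}};
  }
  server {
    {{if keyExists "service/gateway/ports/tlsGit"}}
    listen *:{{key "service/gateway/ports/tlsGit"}} ssl default_server;
    {{end}}
    listen *:{{keyOrDefault "service/gateway/ports/tlsGateway" 443}} ssl;
    server_name git.{{key "service/gateway/domain"}};
    ssl_certificate {{SSLCERT}};
    ssl_certificate_key {{SSLKEY}};
    location  / {
      proxy_pass http://arv-git-http;
    }
  }
  upstream keepproxy {
    server localhost:{{KEEPPROXYPORT}};
  }
  server {
    listen *:{{KEEPPROXYSSLPORT}} ssl default_server;
    server_name _;
    ssl_certificate {{SSLCERT}};
    ssl_certificate_key {{SSLKEY}};
    location  / {
      proxy_pass http://keepproxy;
    }
  }
  upstream keep-web {
    server localhost:{{KEEPWEBPORT}};
  }
  server {
    listen *:{{KEEPWEBSSLPORT}} ssl default_server;
    server_name ~^(?<request_host>.*)$;
    ssl_certificate {{SSLCERT}};
    ssl_certificate_key {{SSLKEY}};
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host $request_host:{{KEEPWEBPORT}};
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  }
  server {
    listen *:{{KEEPWEBDLSSLPORT}} ssl default_server;
    server_name ~.*;
    ssl_certificate {{SSLCERT}};
    ssl_certificate_key {{SSLKEY}};
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host download:{{KEEPWEBPORT}};
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_redirect //download:{{KEEPWEBPORT}}/ https://$host:{{KEEPWEBDLSSLPORT}}/;
    }
  }
  upstream ws {
    server localhost:{{WSPORT}};
  }
  server {
    listen *:{{WSSPORT}} ssl default_server;
    server_name ~^(?<request_host>.*)$;
    ssl_certificate {{SSLCERT}};
    ssl_certificate_key {{SSLKEY}};
    location  / {
      proxy_pass http://ws;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $request_host:{{WSPORT}};
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  }
}
`}

// nginxGatewayBooter renders an nginx config through consul-template
// and runs nginx under it; see Boot.
//
// name and conf were missing from the struct although Boot reads and
// assigns them; both are plain strings there.
type nginxGatewayBooter struct {
	// name is passed to supervisedService as the service name in Boot
	// and is the default for conf.
	name string
	// conf is set to name in Boot when empty; Boot does not read it
	// afterwards.
	conf string
	// tmpl is the consul-template source for nginx.conf. Boot
	// substitutes "{}" when it is empty.
	tmpl string
}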
93
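// Boot writes the consul-template config file and the nginx template
// for the gateway into cfg.DataDir, then boots the nginx OS package and
// a supervised consul-template process that renders the template and
// runs nginx under it (-exec nginx).
//
// The Vault root token is read from vault-root-token.txt in DataDir and
// handed to consul-template in its config file and in its environment.
//
// It returns any error from reading the token, writing either file, or
// booting the Series.
func (ngb *nginxGatewayBooter) Boot(ctx context.Context) error {
	c := cfg(ctx)

	// conf is defaulted here but not read again in this method.
	if ngb.conf == "" {
		ngb.conf = ngb.name
	}
	if ngb.tmpl == "" {
		ngb.tmpl = "{}"
	}

	rawToken, err := ioutil.ReadFile(path.Join(c.DataDir, "vault-root-token.txt"))
	if err != nil {
		return err
	}
	// ReadFile yields bytes; the token is used as a string below. Trim
	// surrounding whitespace so a trailing newline in the file cannot
	// become part of the token sent to Vault.
	rootToken := strings.TrimSpace(string(rawToken))

	// consul-template is started with -config=cfgPath, so the config
	// has to be written to cfgPath itself (writing it to cfgPath+".ctmpl"
	// leaves consul-template with no config file to read).
	// 0600: the file holds the Vault token.
	// NOTE(review): 0.0.0.0 is used as a client-side address for Consul
	// and Vault and the Vault address is plain http; presumably both
	// are loopback-only on the same host — confirm.
	cfgPath := path.Join(c.DataDir, "gateway.consul-template.hcl")
	if err = atomicWriteJSON(cfgPath, map[string]interface{}{
		"consul": map[string]interface{}{
			"address": fmt.Sprintf("0.0.0.0:%d", c.Ports.ConsulHTTP),
		},
		"vault": map[string]string{
			"address": fmt.Sprintf("http://0.0.0.0:%d", c.Ports.VaultServer),
			"token":   rootToken,
		}}, 0600); err != nil {
		return err
	}

	// The template is rendered by consul-template from tmplPath+".ctmpl"
	// to tmplPath. It contains no secrets (only paths and ports), hence
	// 0644.
	tmplPath := path.Join(c.DataDir, "gateway.nginx.conf")
	if err = atomicWriteFile(tmplPath+".ctmpl", []byte(ngb.tmpl), 0644); err != nil {
		return err
	}

	// NOTE(review): the token is already supplied via the config file
	// above. VAULT_TOKEN in the environment is inherited by the nginx
	// process consul-template -exec's, so the root token also ends up in
	// nginx's environment; confirm whether the env entry is needed, and
	// whether a gateway-scoped token rather than the root token would do.
	return Series{
		&osPackage{
			Debian: "nginx",
		},
		&supervisedService{
			name: ngb.name,
			cmd:  path.Join(c.UsrDir, "bin", "consul-template"),
			args: []string{
				"-config=" + cfgPath,
				"-template=" + tmplPath + ".ctmpl:" + tmplPath,
				"-exec",
				"nginx",
			},
			env: map[string]string{
				"VAULT_TOKEN": rootToken,
			},
		},
	}.Boot(ctx)
}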